From: David Gibson
To: Stefano Brivio
CC: passt-dev@passt.top, David Gibson
Subject: [PATCH v2 07/11] isolation: Refactor isolate_user() to allow for a common exit path
Date: Fri, 14 Oct 2022 15:25:33 +1100
Message-Id: <20221014042537.2466015-8-david@gibson.dropbear.id.au>
In-Reply-To: <20221014042537.2466015-1-david@gibson.dropbear.id.au>
References: <20221014042537.2466015-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

Currently, isolate_user() exits early if the --netns-only option is given. That works for now, but shortly we're going to want to add some logic to go at the end of isolate_user() that needs to run in all cases: joining a given userns, creating a new userns, or staying in our original userns (--netns-only).

To avoid muddying those changes, here we reorganize isolate_user() to have a common exit path for all cases.

Signed-off-by: David Gibson
--- isolation.c | 40 ++++++++++++++++------------------------ 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/isolation.c b/isolation.c index fda9cad..211c26f 100644 --- a/isolation.c +++ b/isolation.c
@@ -129,9 +129,6 @@ void isolate_initial(void) */ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns) { - char uidmap[BUFSIZ]; - char gidmap[BUFSIZ]; - /* First set our UID & GID in the original namespace */ if (setgroups(0, NULL)) { /* If we don't have CAP_SETGID, this will EPERM */ @@ -152,12 +149,7 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns) exit(EXIT_FAILURE); } - /* If we're told not to use a userns, nothing more to do */ - if (!use_userns) - return; - - /* Otherwise, if given a userns, join it */ - if (*userns) { + if (*userns) { /* If given a userns, join it */ int ufd; ufd = open(userns, O_RDONLY | O_CLOEXEC); @@ -174,24 +166,24 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns) } close(ufd); + } else if (use_userns) { /* Create and join a new userns */ + char uidmap[BUFSIZ]; + char gidmap[BUFSIZ]; - return; - } - - /* Otherwise, create our own userns */ - if (unshare(CLONE_NEWUSER) != 0) { - err("Couldn't create user namespace: %s", strerror(errno)); - exit(EXIT_FAILURE); - } + if (unshare(CLONE_NEWUSER) != 0) { + err("Couldn't create user namespace: %s", strerror(errno)); + exit(EXIT_FAILURE); + } - /* Configure user and group mappings */ - snprintf(uidmap, BUFSIZ, "0 %u 1", uid); - snprintf(gidmap, BUFSIZ, "0 %u 1", gid); + /* Configure user and group mappings */ + snprintf(uidmap, BUFSIZ, "0 %u 1", uid); + snprintf(gidmap, BUFSIZ, "0 %u 1", gid); - if (write_file("/proc/self/uid_map", uidmap) || - write_file("/proc/self/setgroups", "deny") || - write_file("/proc/self/gid_map", gidmap)) { - warn("Couldn't configure user namespace"); + if (write_file("/proc/self/uid_map", uidmap) || + write_file("/proc/self/setgroups", "deny") || + write_file("/proc/self/gid_map", gidmap)) { + warn("Couldn't configure user namespace"); + } } } -- 2.37.3
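Review bot: In the hunk at @@ -152,12 +149,7, dropping the early "if (!use_userns) return;" changes which check wins: the old code returned before looking at userns at all, while the new "if (*userns)" is tested first, so a call with use_userns false and a non-empty userns path now opens and joins that namespace instead of staying in the original one. Nothing in the visible lines shows that callers guarantee --netns-only and a userns path are mutually exclusive. Since the commit message presents this as a pure reorganization, either make the first branch "if (use_userns && *userns)" so the old precedence is kept, or state the precondition in the function's doc comment so the dependency on the caller is explicit.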
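Review bot: In the hunk at @@ -174,24 +166,24, the moved block still only calls warn("Couldn't configure user namespace") when writing /proc/self/uid_map, /proc/self/setgroups or /proc/self/gid_map fails, and then falls through to the end of the function. With this patch that fall-through becomes the common exit path where the follow-up logic is going to run, so that logic will also execute in a new userns whose ID mappings or setgroups "deny" setting were never applied. Every other failure in this function is err() plus exit(EXIT_FAILURE); either treat this one the same way or add a comment saying why continuing with an unconfigured namespace is acceptable. The warning would also be more useful if it included strerror(errno) or the name of the file that failed, as the unshare() error just above does.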